Amazon's cloud services get approval under FISMA

The General Services Administration has put its stamp of approval on Amazon Web Services to provide cloud services in compliance with the Federal Information Security Management Act.

The accreditation covers Amazon Elastic Compute Cloud (EC2), Simple Storage Service (S3) and Virtual Private Cloud (VPC), along with their underlying infrastructure, the company said in a release.

Amazon Web Services joins Google Apps for Government and Microsoft’s Business Productivity Online Suite among cloud services that can say they’re certified under FISMA.

AWS’ accreditation covers FISMA’s low and moderate levels, the company said. Moderate Authorization and Accreditation requires a set of security configurations and controls that includes documenting the management, operational and technical processes used in securing physical and virtual infrastructure, and a requirement for third-party audits.

With federal agencies moving increasingly to the cloud, providers have been racing to claim FISMA accreditation and/or certification, even if the term is something of a misnomer.

Microsoft and Google had a war of words in April over Google’s claim of certification for Google Apps for Government, which eventually was settled when GSA backed Google’s claim. Shortly afterward, BPOS also got GSA’s blessing.

But as GCN’s William Jackson pointed out, FISMA doesn’t require certification of products or services, and doesn’t apply to vendors. It sets security requirements for federal IT systems.

That’s where GSA and the National Institute of Standards and Technology come in. Having to accredit each federal system that moves to the cloud would overwhelm agencies and defeat the purpose of cloud computing, which aims to increase efficiency and cut costs. So GSA, using NIST-developed standards, accredits products and services for governmentwide use.

The Federal Risk and Authorization Management Program, better known as FedRAMP, sets baseline security requirements, coordinates and manages authorization, and provides risk assessments. Among its goals is increasing agencies’ trust in the cloud.

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

inside gcn

Reader Comments

Mon, Sep 19, 2011
Craig Klingler
DC Metro

Amazon's cloud services get approval under FISMA. What does this really indicate? I’m pro Cloud Services from an economic and time to market perspective. But my trade is IT Security and I share the same concerns as many. I’ve been working with several clients that have either deployed on SalesForce or are working on services using SalesForce. SalesForce received ATO from GSA in May 2011 based on a FISMA evaluation by Ernest and Young. Salesforce was kind enough to let me view their C&A (SSP, ST&E, POAMs, Residual Risk) and as most C&As they had findings, most of which had already been corrected. I’ve become more impressed with Salesforce the more I learn about them, especially their Force.com platform. However, the user of any SalesForce service inherits their risks along with the Security Controls that will be inherited. With any system, SalesForce and all Cloud providers risks will rise and fall with the industry. I can only hope that FedRAMP will become a single point of contact that I can contact and find out the latest risks on any cloud provider I’m working with a client on. An ATO does not indicate a risk free system (as if one could exist), it indicates the DAA has been made aware of all the risks, including those inherited from a Cloud Provider and has determined there is a plan in place to deal with residual risk and will authorize the system to operate.

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.